Pia

11 Describe the purpose of the system.

The system will allow those with access to see what grants and contracts are available through periodic data uploads from grants.nih.gov, NIH RePORTER, beta.sam.gov, and the Federal Procurement Data System (FPDS.gov). The data uploaded from these sites will reduce the user’s reporting effort by prepopulating about 75% of the data input fields.

Consolidating the upcoming grants and contracts into this system will decrease the burden on the Historically Black Colleges and Universities HBCUs and businesses by giving them one site to access NIH funding opportunities. The information entered by an HBCU or a business is viewable only by that HBCU or business and the NIH Small Business Program Office (SBPO) staff.

Describe the type of information the system will

₁₂ collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask

about the specific data elements.)

The HBCU pre-solicitation portal uses specific login information to assign permissions/user roles which is considered Personally Identifiable Information (PII). However, this is done by using the NIH Identity, Credential, and Access

Question 12 Comments

Please specify All "Other Identifiers" stored in the system within your answer.

Provide an overview of the system and describe the

13 information it will collect, maintain (store), or share, either permanently or temporarily.

The HBCU pre-solicitation portal uses specific login information to assign permissions/user roles which is considered Personally Identifiable Information (PII). However,

Question 13 Comments

Please Do Not be concerned if Q12 and Q13 overlap/cover information that should be included in the other response. List "All" Personal Identifiable Information collected, maintained or shared.

Yes

14 Does the system collect, maintain, use or share PII?

No

Social Security Number Date of Birth

Name Photographic Identifiers Driver's License Number Biometric Identifiers

Mother's Maiden Name Vehicle Identifiers

E-Mail Address Mailing Address

Phone Numbers Medical Records Number

Medical Notes Financial Account Info

Certificates Legal Documents

₁₅ Indicate the type of PII that the system will collect or _{Education Records Device Identifiers} maintain.

Military Status Employment Status

Foreign Activities Passport Number Taxpayer ID

Question 15 Comments

Per Q12, please specify and list "Other Identifiers" in the free text.

Employees Public Citizens

_{Indicate the categories of individuals about whom PII} Business Partners/Contacts (Federal, state, local agencies)

¹⁶ is collected, maintained or shared. Vendors/Suppliers/Contractors

Patients

Other

Question 16 Comments

Per Q11, "System will decrease the burden on the Historically Black Colleges and Universities HBCUs and businesses by giving them one site to access NIH funding opportunities", whom are considered public citizens, please also select "Public Citizens" in your answer.

17 How many individuals' PII is in the system? _<100

_{18 For what primary purpose is the PII used?} Users accessing the system will be shown specific features.

Access based on their role.

₁₉ Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

n/a

20 Describe the function of the SSN. _n/a

20a Cite the legal authority to use the SSN. _n/a

₂₁ Identify legal authorities governing information use _n/a and disclosure specific to the system and program.

Are records on the system retrieved by one or more ^Yes

²² PII data elements? _No

Describe the method for individuals to opt-out of the

₂₇ collection or use of their PII. If there is no option to object to the information collection, provide a

reason.

There is no opt-out method for users since their email address is needed for authentication purposes. There is no collection of PII from the general public.

Describe the process to notify and obtain consent

^{from the individuals whose PII is in the system when} No major changes are expected to occur that would impact ^{major changes occur to the system (e.g., disclosure} the use of the email address. However, if changes were to

^{28 and/or data uses have changed since the notice at} occur, an email will be sent to the users to mention the

the time of original collection). Alternatively, describe _{changes and either obtain their consent or let them opt out of} why they cannot be notified or have their consent _{the system.}

obtained.

Describe the process in place to resolve an

^{individual's concerns when they believe their PII has} In the event if the user has any concern that their data is

^{29 been inappropriately obtained, used, or disclosed, or} inappropriately obtained, used, or disclosed, they have the ^{that the PII is inaccurate. If no process exists, explain} option to use the 'Contact Us' page to contact the OALM Staff. why not.

^{Describe the process in place for periodic reviews of} The Personally Identifiable Information (PII) data within OALM

₃₀ ^{PII contained in the system to ensure the data's} HBCU Tool will be backed up every day to ensure the data ^{integrity, availability, accuracy and relevancy. If no} availability and will be reviewed periodically to ensure the

processes are in place, explain why not. _{integrity of the data.}

₃₁ Identify who will have access to the PII in the system and the reason why they require access.

Users

To find partnership opportunities

Administrators

Administrators have access to the data and the main focus is to backup and restore data.

Developers

Contractors

Contractors maintaining the system

Others

Question 31 Comments

Please select "Contractors" if any type of contractors will have access to the PII in the system. Please specify if the contractors are direct contractors. Direct contractors are contractors that operate on behalf of the agency and use the agency's credentials when doing so.

The System Administrators are required to read the NIH IT ^{Describe the procedures in place to determine which} General Rules of Behavior (https://ocio.nih.gov/aboutus/

^{32 system users (administrators, developers,} publicinfosecurity/securitytraining/Pages/

^{contractors, etc.) may access PII.} NIH_IT_GeneralRulesofBehavior.aspx) document that details

General Security practices, data privacy and protection.

_{Describe the methods in place to allow those with} OALM HBCU Tool have role-based authorization to ensure least

_{33 access to PII to only access the minimum amount of} privilege access to the data in the system. An individual user’s

_{information necessary to perform their job.} access in terms of read/write/review within OALM HBCU Tool is

controlled by very strict role-based control.

Identify training and awareness provided to personnel (system owners, managers, operators,

₃₄ contractors and/or program managers) using the system to make them aware of their responsibilities

for protecting the information being collected and maintained.

The NIH Security Awareness Training course is used to satisfy this requirement. According to NIH policy, all personnel who use NIH applications must attend security awareness training every year. There are four categories of mandatory IT training (Information Security, Counterintelligence, Privacy Awareness, and Records Management). Training is completed on the http://irtsectraining.nih.gov site with valid NIH credentials.

Describe training system users receive (above and

35 beyond general security and privacy awareness training).

n/a

Do contracts include Federal Acquisition Regulation _Yes

36 and other appropriate clauses ensuring adherence to

privacy provisions and practices? ^No

Records are maintained within the HBCU pre-solicitation portal for a time of no less than six years after a password is altered or an user account is terminated in accordance with NARA record retention schedule: 3.2.031, System access records; Systems requiring special accountability for access; DAA-

GRS-2013-0006-0004

Records are maintained within the pre-solicitation portal for one year after the system is superseded by a new iteration or when no longer needed for agency/Information Technology (IT) administrative purposes to ensure a continuity of security controls throughout the life of the system in accordance with

Describe the process and guidelines in place with _{NARA record retention schedule:}

37 regard to the retention and destruction of PII. Cite _{3.2.010, Systems and data security records: DAA-} specific records retention schedules. _{GRS-2013-0006-0001}

General Records Schedule 3.2, Information Systems Security Records, Item 010, Systems and data security records.

Disposition Authority DAA-GRS-2013-0006-0002. Disposition: Temporary: Destroy 3 year(s) after all necessary follow-up actions have been completed

General Records Schedule 3.2, Information Systems Security Records, Item 030, System access records. Disposition Authority DAA-GRS-2013-0006-0003. Disposition: Temporary. Destroy when business use ceases.

Administrative Controls: &

Technical Controls: Access to the system is controlled by NIH log-in which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain

Describe, briefly but with specificity, how the PII will ^{integrity of data.}

38 be secured in the system using administrative,

_{technical, and physical controls.} Physical Controls: The servers reside in the Center for

Information Technology (CIT) Computer Room where policies

and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room.

The System is hosted at NIH OIT within a secure Windows environment and can only be accessed by Administrators with authentication information. Technical controls such as firewall is in place to protect from unauthorized intrusions.

39 Identify the publicly-available URL: _{https://oamp.hbcu.od.nih.gov}

Yes

40 Does the website have a posted privacy notice?

No

Is the privacy policy available in a machine-readable ^{Yes 40a} format? _No

Does the website use web measurement and ^Yes

⁴¹ customization technology? _No

Does the website have any information or pages ^Yes

⁴² directed at children under the age of thirteen? _No

Does the website contain links to non- federal ^Yes

⁴³ government websites external to HHS? _No

REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions Answer

Yes

1 Are the questions on the PIA answered correctly, accurately, and completely?

No

Reviewer

Notes

Does the PIA appropriately communicate the purpose of PII in the system and is the purpose ^Yes

² justified by appropriate legal authorities? _No

Reviewer

Notes

Do system owners demonstrate appropriate understanding of the impact of the PII in the ^Yes

³ system and provide sufficient oversight to employees and contractors? _No

Reviewer

Notes

Yes

4 Does the PIA appropriately describe the PII quality and integrity of the data?

No

Reviewer

Notes

Yes

5 Is this a candidate for PII minimization?

No

Reviewer

Notes

Yes

6 Does the PIA accurately identify data retention procedures and records retention schedules?

No

Reviewer

Notes

Yes

7 Are the individuals whose PII is in the system provided appropriate participation?

No

Reviewer

Notes